General Information

Execution of Dormant Server Controls in Unprotected Callbacks

Variants:
Direct 

Also Known As:
EodSec

Vector Type:
Attack

Relevance:
Technology Specific

Layer:
Application-Level

Platforms:
ASP.NET, Mono, JSF

Target Type:
Web Application

Affected Mechanisms:
Privilege Validation, Digital Signatures, Web Application Configuration

Invented In:
15/03/2013

Added In:
04/12/2014


Vector Operation Method:
Execute the dormant events of invisible or disabled server-side web controls by submitting the hidden parameter that carries the control's name, abusing the absence of event-validation code in a custom callback implementation.


Direct Variant:

Execution of Dormant Server Controls in Unprotected Callbacks

Variant Title:
Execution of Dormant Server Controls in Unprotected Callbacks

Typical Severity:
Major

Learn More: